[selinux-policy: 1683/3172] from Dan: This is a new policy for the User Switching capability coming in gnome.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:30:30 UTC 2010


commit c224d91c7bdc13f0effa9e036fcf31248d3a2208
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Mar 19 18:01:15 2007 +0000

    from Dan:
    This is a new policy for the User Switching capability coming in gnome.
    
    consolekit is a daemon that communicates with xdm_t and hal through dbus to change the
    ownership/access on certain devices when the login session changes from one user to another

 Changelog                             |    2 +
 policy/modules/services/consolekit.fc |    1 +
 policy/modules/services/consolekit.if |   40 +++++++++++++++++++++++++++
 policy/modules/services/consolekit.te |   49 +++++++++++++++++++++++++++++++++
 policy/modules/system/unconfined.te   |    6 +++-
 5 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 5f37eed..b831d81 100644
--- a/Changelog
+++ b/Changelog
@@ -32,6 +32,8 @@
 - Clean up file context regexes in apache and java, from Eamon Walsh.
 - Patches from Dan Walsh:
 	Thu, 25 Jan 2007
+- Added modules:
+	consolekit (Dan Walsh)
 
 * Tue Dec 12 2006 Chris PeBenito <selinux at tresys.com> - 20061212
 - Add policy patterns support macros.  This changes the behavior of
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
new file mode 100644
index 0000000..e8268f8
--- /dev/null
+++ b/policy/modules/services/consolekit.fc
@@ -0,0 +1 @@
+/usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
new file mode 100644
index 0000000..0c123a3
--- /dev/null
+++ b/policy/modules/services/consolekit.if
@@ -0,0 +1,40 @@
+## <summary>Framework for facilitating multiple user sessions on desktops.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consolekit_domtrans',`
+	gen_require(`
+		type consolekit_t, consolekit_exec_t;
+	')
+
+	domtrans_pattern($1,consolekit_exec_t,consolekit_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	consolekit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dbus_chat',`
+	gen_require(`
+		type consolekit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 consolekit_t:dbus send_msg;
+	allow consolekit_t $1:dbus send_msg;
+')
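Review bot: The `consolekit_dbus_chat` interface at the end of this hunk has only one caller in this commit, `consolekit_dbus_chat(unconfined_t)` inside the `targeted_policy` block of unconfined.te, although the commit description names xdm_t as a dbus peer. Where xdm runs confined as `xdm_t`, dbus messages between it and `consolekit_t` would presumably be denied unless a call exists outside this diff. It is worth confirming whether a `consolekit_dbus_chat(xdm_t)` call wrapped in `optional_policy` is planned for the module that owns `xdm_t`. Separately, the `<summary>` inside `<param>` for `consolekit_domtrans` is not tab-indented the way the one for `consolekit_dbus_chat` is; aligning the two keeps the interface docs consistent.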
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
new file mode 100644
index 0000000..61e6f51
--- /dev/null
+++ b/policy/modules/services/consolekit.te
@@ -0,0 +1,49 @@
+
+policy_module(consolekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+########################################
+#
+# consolekit local policy
+#
+
+allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process getsched;
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_read_urand(consolekit_t)
+dev_read_sysfs(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+
+files_read_etc_files(consolekit_t)
+
+init_use_script_ptys(consolekit_t)
+
+libs_use_ld_so(consolekit_t)
+libs_use_shared_libs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(consolekit_t)
+	term_dontaudit_use_generic_ptys(consolekit_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(consolekit, consolekit_t)
+	dbus_send_system_bus(consolekit_t)
+	dbus_connect_system_bus(consolekit_t)
+
+	hal_dbus_chat(consolekit_t)
+')
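Review bot: The rule `allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };` grants `dac_override` and `sys_ptrace` with no comment saying which daemon operation needs them, and both are broad for a system daemon that also gets `domain_read_all_domains_state`. A short comment above the rule, e.g. `# sys_ptrace: presumably for reading /proc/<pid> state of session processes - confirm against AVC denials`, would let a later reviewer judge whether each capability can be dropped. `sys_nice` is granted while the `self:process` rule allows only `getsched`, so a priority change would likely still be denied without `setsched`; it is worth checking which of the two the daemon actually exercises.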
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 19df0fb..4e689b4 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.5.1)
+policy_module(unconfined,1.5.2)
 
 ########################################
 #
@@ -80,6 +80,10 @@ ifdef(`targeted_policy',`
 		')
 
 		optional_policy(`
+			consolekit_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`
 			cups_dbus_chat_config(unconfined_t)
 		')
 

